Over the past several years, the growing ubiquitousness of smartphones and tablets, and increasingly of wearables and other network-enabled devices (the “Internet-of-Things”) has disrupted the traditional IT Enterprise. In many firms, this has caused an erosion of the “network perimeter,” or the boundary between the firm's own private network and the public Internet. Endpoint security management has also become more difficult, as many more devices on a typical network are outside of the security perimeter. For example, many such devices have connections that may bypass the network firewall, or the devices may otherwise step outside the firewall.
According to a 2014 Ponemon Institute study, the average modern organization has over 23,000 mobile devices in use on their network, with over 37% of them carrying corporate information. The same study found that the majority of chief information security officers (CISOs) had experienced data losses from employee smartphones; many also lamented the difficulty in preventing the use of insecure devices by employees. The tight coupling of mobile solutions and cloud technology has led to many organizations no longer being able to easily control their data; often, many cannot even be certain where their data is. Time and money spent improving the security of a crucial corporate system, like a corporate customer relationship management (CRM) system, may be completely wasted if employees forgo its use in favor of personal accounts on cloud-based CRM applications synced to their insecure phones.
Worse yet, most organizations do not even know the degree to which mobile endpoints represent security risks to the organization. For example, it might not be clear what percentage of employees are using jailbroken phones, what percentage have installed or run trojan-horse applications that leech data, or what percentage update their device software to fix known security flaws. Many enterprise-connected phones may still be susceptible to known device attacks, making security protocols relatively easy to bypass. Unknown—potentially huge—amounts of corporate data may be exposed.